U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL


FINAL REPORT:
U.S. ELECTION ASSISTANCE COMMISSION

EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF
THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT

FISCAL YEAR 2013


NO. I-PA-EAC-02-13
SEPTEMBER 2013



U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL
1201 New York Ave. NW - Suite 300
Washington, DC 20005

Memorandum

                                                            September 19, 2013

To:        Alice Miller
           Acting Executive Director

From:      Curtis W. Crider
           Inspector General

Subject:   Final Report – U.S. Election Assistance Commission's Compliance with the
           Requirements of the Federal Information Security Management Act (Assignment No.
           I-PA-EAC-02-13)

In accordance with the Federal Information Security Management Act (FISMA), the Office of
Inspector General (OIG) engaged Leon Snead & Co. P.C., an independent certified public
accounting firm, to conduct an audit of the U.S. Election Assistance Commission's (EAC)
compliance with the OMB Circular A-130 and FISMA requirements. The audit included
assessing the EAC's effort to develop, document, and implement an agency-wide program to
provide information security for the information and information systems that support the
operations and assets of the EAC.

Leon Snead & Co. found that the EAC was in substantial compliance with FISMA requirements.
The EAC had developed an agency-wide IT security program based upon assessed risk, and the
security program provided reasonable assurance that the agency's information and information
systems were appropriately protected.

The legislation creating the Office of Inspector General requires that we report to
Congress semiannually on all audit reports issued, actions taken to implement our
recommendations, and recommendations that have not been implemented.

If you have any questions regarding this report, please call me at (202) 566-3125.



U.S. Election Assistance Commission
Compliance with the Requirements of
the Federal Information Security Management Act

Fiscal Year 2013


Submitted By

Leon Snead & Company, P.C.
Certified Public Accountants & Management Consultants



LEON SNEAD & COMPANY, P.C.
Certified Public Accountants & Management Consultants

416 Hungerford Drive, Suite 400
Rockville, Maryland 20850
301-738-8190
fax: 301-738-8210
leonsnead.companypc@erols.com

                                                            September 13, 2013

Mr. Curtis W. Crider
Inspector General
U.S. Election Assistance Commission
1440 New York Ave, N.W., Suite ISO
Washington, DC 20005

Dear Mr. Crider:

Enclosed is the final U.S. Election Assistance Commission's (EAC) audit report, Compliance
with the Requirements of the Federal Information Security Management Act (FISMA), for fiscal
year 2013. The report shows that EAC was in substantial compliance with FISMA requirements.

We appreciate the courtesies and cooperation provided by EAC during the audit.

                                                            Sincerely,

                                                            [signed]
                                                            Partner



TABLE OF CONTENTS

                                                                          Page

Introduction ................................................................. 1

Objective, Scope and Methodology ............................................. 1

Summary of Audit ............................................................. 2

Appendix 1 – Status of Prior Year Findings ................................... 3

Appendix 2 – Agency Response to Draft Report ................................. 4


Leon Snead & Company, P.C.                                                   i



Introduction

Leon Snead & Company, P.C. has completed an audit of EAC's Information Technology (IT)
security program for fiscal year 2013. Title III of the E-Government Act, entitled the Federal
Information Security Management Act (FISMA), requires each Federal agency to develop,
document, and implement an agency-wide program to provide security for information and
information systems that support the operations and assets of the agency, including those systems
managed by another agency or contractor. FISMA, along with the Paperwork Reduction Act of
1995 and the Information Technology Management Reform Act of 1996, emphasizes a risk-based
policy for cost-effective security. In support of and reinforcing this legislation, the Office of
Management and Budget (OMB), through Circular A-130, Management of Federal Information
Resources, Appendix III, Security of Federal Automated Information Resources, requires
executive agencies within the Federal government to:

    •   Plan for security;
    •   Ensure that appropriate officials are assigned security responsibility;
    •   Periodically review the security controls in their information systems; and
    •   Authorize system processing prior to operations and, periodically, thereafter.

The EAC is an independent, bipartisan agency created by the Help America Vote Act (HAVA)
to assist in the effective administration of Federal elections. In October 2002, Congress passed
HAVA to invest in election infrastructure and set forth a comprehensive program of funding,
guidance, and ongoing research. To foster those programs and to promote and enhance voting
for United States citizens, HAVA established the EAC. EAC's mission is to assist in the
effective administration of Federal elections. The agency is charged with developing guidance to
meet HAVA requirements, adopting voluntary voting system guidelines, and serving as a
national clearinghouse of information about election administration. EAC also accredits testing
laboratories, certifies voting systems, and audits the use of HAVA funds.

Objective, Scope and Methodology

The objective of our audit was to assess whether the EAC had developed, documented, and
implemented an agency-wide information security program, as required by OMB Circular A-130
and FISMA. To accomplish this objective, we selected a sample of controls contained in NIST
SP 800-53 (rev 3), Recommended Security Controls for Federal Information Systems and
Organizations, for a moderate risk system, and:

    •   Reviewed IT security program policies and procedures issued by the agency;
    •   Performed tests on the agency's general support system to determine whether the agency
        had implemented required management, operational and technical controls;
    •   Met with EAC officials, observed IT security operations, and performed various tests of
        IT controls implemented by the agency;
    •   Performed independent vulnerability scans of the agency's internal network; and
    •   Reviewed the continuous monitoring program established by the agency.

We conducted this audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives. Other criteria used in the audit included
National Institute of Standards and Technology (NIST) guidance and OMB Memoranda. The
audit was performed during the period May through August 2013.

Summary of Audit

Based upon our audit tests as described above, we concluded that, overall, EAC was in
substantial compliance with FISMA requirements. We determined that EAC had developed an
agency-wide IT security program based upon assessed risk, and the security program provided
reasonable assurance that the agency's information and information systems are appropriately
protected.

We have included the agency's comments to the draft report as Appendix 2.


Leon Snead & Company, P.C.
August 23, 2013



                                                                          Appendix 1

Status of Prior Year Findings and Recommendations

Prior Year Finding:
  Vulnerability scans that we performed during the audit of EAC's general support system
  identified several critical and high risk vulnerabilities that had not been remediated. We
  attributed this issue to the need for improved monitoring and coordination of patch
  management efforts. As a result, some vulnerabilities remained within the system even though
  there were "patches" and other actions available to fix the security issues.

Status:
  Actions taken by EAC addressed this issue. Closed.



                                                                          Appendix 2

US Election Assistance Commission
1201 New York Ave. NW - Suite 300
Washington, DC 20005

MEMORANDUM

TO:          Curtis Crider
             Inspector General

FROM:        Alice P. Miller
             COO and Acting Executive Director

SUBJECT:     Management response to Draft Audit Report - U.S. Election Assistance Commission
             Audit of Compliance with the Requirements of the Federal Information Security
             Management Act (FISMA) Fiscal Year 2013 (Assignment No. I-PA-EAC-02-13)

DATE:        September 12, 2013

             After reviewing the draft audit report and summary of the audit results of the FISMA
             Audit, management agrees with the audit result submitted by the auditors.

             As the audit report indicates, management took the necessary actions to address the
             findings that were found in the previous year audit report and EAC is now substantially
             in compliance with the FISMA requirements.

             We thank you and the auditors for courtesies and assistance that were extended to EAC
             during the audit process.

             If you have any questions regarding this response, please do not hesitate to contact me
             at (202) 566-3110.


             cc: Mohammed Maeruf, CIO
                 Annette Lafferty, CFO



OIG's Mission

The OIG audit mission is to provide timely, high-quality professional products and services that
are useful to OIG's clients. OIG seeks to provide value through its work, which is designed to
enhance the economy, efficiency, and effectiveness in EAC operations so they work better and
cost less in the context of today's declining resources. OIG also seeks to detect and prevent
fraud, waste, abuse, and mismanagement in these programs and operations. Products and
services include traditional financial and performance audits, contract and grant audits,
information systems audits, and evaluations.

Obtaining Copies of OIG Reports

Copies of OIG reports can be requested by e-mail (eacoig@eac.gov).

Mail orders should be sent to:
    U.S. Election Assistance Commission
    Office of Inspector General
    1201 New York Ave. NW - Suite 300
    Washington, DC 20005

To order by phone:  Voice: (202) 566-3100
                    Fax: (202) 566-0957

To Report Fraud, Waste and Abuse Involving the U.S. Election Assistance Commission or Help
America Vote Act Funds

By Mail:    U.S. Election Assistance Commission
            Office of Inspector General
            1201 New York Ave. NW - Suite 300
            Washington, DC 20005

E-mail:     eacoig@eac.gov

OIG Hotline: 866-552-0004 (toll free)

FAX: 202-566-0957